CVE-2022-32169: Incorrect Permission Assignment for Critical Resource

September 28, 2022 (updated November 7, 2023)

The “Bytebase” application does not restrict low privilege user to access “admin issues“ for which an unauthorized user can view the “OPEN” and “CLOSED” issues by “Admin” and the affected endpoint is “/issue”.

References

github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/issue.ts
nvd.nist.gov/vuln/detail/CVE-2022-32169
www.mend.io/vulnerability-database/CVE-2022-32169

Detect and mitigate CVE-2022-32169 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →